Win32.Sality does not get recognized!

Hi there,

I’ve just spent the weekend fighting Win32.Sality, and yes, Comodo Antivirus (the most recent version with the most recent virus DB) doesn’t seem to deal well with this severe virus. Although it reports some unknown malware when executing the infected file, it doesn’t seem to stop the virus from its activity right after the infected EXE is run. The virus, besides infecting other files, running NETSH, etc., messes up the Comodo software.

I’ve got several infected files, so I can send them to the COMODO developers. It’s quite surprising that such an old and quite dangerous virus is not recognized by one of the most popular free security packages, such as COMODO…

Below the information from VirusTotal:

Antivirus Version Last update Result
a-squared 4.0.0.101 2009.06.01 -
AhnLab-V3 5.0.0.2 2009.05.31 -
AntiVir 7.9.0.180 2009.05.30 W32/Sality.AC
Antiy-AVL 2.0.3.1 2009.06.01 -
Authentium 5.1.2.4 2009.06.01 W32/Sality.AL
Avast 4.8.1335.0 2009.05.31 Win32:Sality
AVG 8.5.0.339 2009.06.01 Win32/Sality.V
BitDefender 7.2 2009.06.01 Win32.Sality.OX
CAT-QuickHeal 10.00 2009.06.01 W32.Sality.Y
ClamAV 0.94.1 2009.06.01 -
Comodo 1227 2009.06.01 -
DrWeb 5.0.0.12182 2009.05.29 Win32.Sector.19
eSafe 7.0.17.0 2009.05.27 -
eTrust-Vet 31.6.6530 2009.05.30 Win32/Sality.AI
F-Prot 4.4.4.56 2009.06.01 W32/Sality.AL
Fortinet 3.117.0.0 2009.06.01 -
GData 19 2009.06.01 Win32.Sality.OX
Ikarus T3.1.1.57.0 2009.06.01 -
K7AntiVirus 7.10.749 2009.05.29 -
Kaspersky 7.0.0.125 2009.06.01 Virus.Win32.Sality.ae
McAfee 5632 2009.05.31 W32/Sality.gen.c
McAfee+Artemis 5632 2009.05.31 W32/Sality.gen.c
McAfee-GW-Edition 6.7.6 2009.05.29 Win32.Sality.AC
Microsoft 1.4701 2009.06.01 Virus:Win32/Sality.AM
NOD32 4117 2009.05.30 Win32/Sality.AE
Norman 6.01.05 2009.05.29 W32/Sality.AR
nProtect 2009.1.8.0 2009.05.31 Virus/W32.Sality.B
Panda 10.0.0.14 2009.05.31 W32/Sality.AQ
Rising 21.32.00.00 2009.06.01 -
Sophos 4.42.0 2009.06.01 Mal/Sality-C
Sunbelt 3.2.1858.2 2009.05.31 Virus.Win32.Sality.az (v)
Symantec 1.4.4.12 2009.06.01 W32.Sality.AM
TheHacker 6.3.4.3.334 2009.05.29 -
TrendMicro 8.950.0.1092 2009.06.01 PE_SALITY.AZ
VBA32 3.12.10.6 2009.05.31 Virus.Win32.Sality.AC
ViRobot 2009.6.1.1762 2009.06.01 -
VirusBuster 4.6.5.0 2009.05.31 Win32.Sality.AQ.Gen

Cheers, Tomasz

Win32/Sality has a lot of variants.
That means one variant can be a little different from the original.
Some anti-virus software doesn’t have the flexibility to deal with this virus.

Some miss, some catch; it’s just the way things are…
Please follow this method of submitting malware to Comodo:
https://forums.comodo.com/empty-t36051.0.html

Did you not get any popups from D+? Can anyone confirm this?

metalforlife:

Well yes, that’s how I realised something wrong was happening: D+ started showing message balloons (not confirmation prompts!) that different applications (mainly those that I had set to autorun) were modifying other applications or processes. Another indication was the firewall, which indicated outgoing and incoming connections from strange IP addresses to the applications that were being dynamically created in the temp directory.

Before I formatted the HD (got to the point where about 300 files were infected and some could not be handled by AVK’s rmslt.exe) I managed to get regedit and Process Explorer working, and one thing I observed was that the infected applications were also infecting cfp.exe. After that Comodo was reporting problems and the need for a repair process.

Petit: yes, but non-polymorphic viruses are a piece of cake :wink: polymorphism detection is the functionality you expect from the antivirus software…

Kyle: sure, but it’s a pity that COMODO is in the 10% that don’t… ;(

I’m going to submit a couple of infected files to COMODO; I hope it will help the team improve that good product.

If anyone has some questions about that virus, do not hesitate to ask; let the hours I spent on it yesterday be helpful to others. Here’s a pretty good description of what was happening on my system, although it doesn’t mention the execution of NETSH.EXE: http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=52797

Cheers, Tomasz

Hello Tomasz,

Thanks for sending these samples to Comodo AV labs, as indeed a family signature ought to be developed to address these vectors, which were sighted in the wild before Comodo even started to develop its AV.

Please submit them to CIMA/CAMAS (along with a link as well).

BTW, were you able to identify how you got infected in the first place?

The modifications carried out by startup applications ought to be a propagation step of an active infection, whereas the original infection vector should have been an unknown app.

Endymion,

OK, I’ll submit the infected file. The infection started by running the infected application that came from one of my employees (and unfortunately Comodo AV didn’t warn me when I touched that file); I’ve reproduced that in the test environment. The best way to see what’s happening is to run the infected EXE with Process Explorer (Sysinternals) open and watch what happens to the applications that were autostarted. The system infection begins when the virus displays the fake error message after the infected EXE is run.

Tomasz
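The reproduction method described above (watch what happens to the autostarted applications after running the sample, and look for executables appearing in the temp directory and for netsh.exe being launched) can be made repeatable with a baseline-and-diff script. The following PowerShell is an added example, not code from the thread or from Comodo: it hashes the executables referenced from the Run keys before the sample is executed in a disposable test VM, then reports which of them changed afterwards, plus any .exe files in %TEMP% and any running netsh.exe. The function names, the baseline file location and the choice of only the two Run keys are this example's own assumptions.

```powershell
# Added example (not from the forum thread): baseline-and-diff check for autostart executables.
# Run Get-AutostartBaseline in a disposable test VM before executing a suspect sample,
# then Compare-AutostartBaseline afterwards. Names and paths below are this example's own.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Get-AutostartTargets {
    # Resolve the executable path referenced by each Run-key value.
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
            $cmd = [string]$prop.Value
            # Take the quoted path if present, otherwise the first token of the command line.
            if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] }
            else { $exe = ($cmd -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            if (Test-Path -LiteralPath $exe -PathType Leaf) { $exe }
        }
    }
}

function Get-AutostartBaseline {
    # Record SHA-256 and size of every autostart executable (hypothetical file name).
    param([string]$OutFile = "$env:USERPROFILE\autostart-baseline.csv")
    Get-AutostartTargets | Sort-Object -Unique | ForEach-Object {
        $h = Get-FileHash -LiteralPath $_ -Algorithm SHA256
        [pscustomobject]@{
            Path   = $_
            SHA256 = $h.Hash
            Length = (Get-Item -LiteralPath $_).Length
        }
    } | Export-Csv -NoTypeInformation -LiteralPath $OutFile
    Write-Host "Baseline of autostart executables written to $OutFile"
}

function Compare-AutostartBaseline {
    # Report autostart executables whose hash changed since the baseline was taken.
    param([string]$BaselineFile = "$env:USERPROFILE\autostart-baseline.csv")
    $baseline = Import-Csv -LiteralPath $BaselineFile
    foreach ($entry in $baseline) {
        if (-not (Test-Path -LiteralPath $entry.Path)) {
            Write-Warning "MISSING  $($entry.Path)"
            continue
        }
        $now = (Get-FileHash -LiteralPath $entry.Path -Algorithm SHA256).Hash
        $len = (Get-Item -LiteralPath $entry.Path).Length
        if ($now -ne $entry.SHA256) {
            Write-Warning ("MODIFIED {0}  size {1} -> {2}" -f $entry.Path, $entry.Length, $len)
        }
    }
    # The two other symptoms described in the thread: executables appearing in the
    # temp directory, and netsh.exe being executed.
    Get-ChildItem -LiteralPath $env:TEMP -Filter *.exe -File -ErrorAction SilentlyContinue |
        ForEach-Object { Write-Warning "TEMP EXE $($_.FullName) created $($_.CreationTime)" }
    Get-CimInstance Win32_Process -Filter "Name = 'netsh.exe'" |
        ForEach-Object { Write-Warning "netsh.exe pid $($_.ProcessId) parent $($_.ParentProcessId): $($_.CommandLine)" }
}

# Usage in the test VM:
#   Get-AutostartBaseline        # before running the sample
#   ...run the suspect EXE...
#   Compare-AutostartBaseline    # after the fake error message appears
```

Take the baseline from a clean snapshot and revert the VM afterwards; a file that has already been touched by the sample gives a useless baseline. The script only covers the two Run keys; services, scheduled tasks and the RunOnce keys are other autostart locations a thorough check would add.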

Thanks for the submission, but please post a link to the CIMA and VirusTotal reports as well, as it would be beneficial for the Leak Testing/Attacks/Vulnerability Research board.

Although the original vector should have been able to trigger alerts as well, it is indeed unfortunate that the AV didn’t get a signature for it and hopefully one will now be available soon enough.

It would be possible to increase the level of monitoring by enabling Comodo - Proactive Security Configuration from the CIS tray icon menu (e.g. soon after installation), as I gather the default configuration that is provided when the AV is installed offloads/disables some proactive protection by privileging detection of some types of threats, whereas when installing the firewall alone the proactive security would be selected by default.

You forgot a 0. Unless you do know of an antivirus client that is 100% effective all the time. If there is one, let me know and I’ll switch to it.

If you meant specifically in relation to this virus, well Comodo AV is rather new to the market. Still have to give it some time to settle in.